Wannacry Ransomware Attack (Woodward)

Starting early Friday morning (May 12), ransomware attacks using an exploit for the SMB (Server Message Block) protocol on Microsoft Windows were executed across businesses in hundreds of countries. The ransomware effected a number of businesses in a variety of industries. The ransomware goes by various names such as WannaCry, Wcry, WannaCrypt, or Wanna Decryptor.

Description

Initial reports indicate the hacker or hacking group behind the WannaCry campaign is gaining access to enterprise servers through the exploitation of a critical Windows SMB vulnerability. Microsoft released a security update for the MS17-010 vulnerability on March 14, 2017 for Windows 7, Windows 8.1, Windows Server 2008, Windows Server 2012, and Windows 10. Additionally, Microsoft released patches for Windows XP, Windows 8, and Windows Server 2003 (link is external) operating systems on May 13, 2017. The WannaCry ransomware will spread through the SMB vulnerability from an infected machine.

One possible infection vector may be through phishing or opening infected documents from unknown sources.

Affected Units

Customers using Microsoft Windows operating systems are affected by WannaCry ransomware. Woodward controls (MicroNet, MicroNet+, Atlas, 505) are not affected by the ransomware. Microsoft Windows devices may be used with a Woodward control to provide HMI (Human Machine Interface) capabilities in the control system.

Corrective Action

The following description and guidance is from US-CERT Alert (TA17-132A). Woodward recommends reviewing the Impact and implementing the Recommended Steps for Prevention and Recommendations for Network Protection:

Impact

Woodward controls (MicroNet, MicroNet+, Atlas, 505) are not directly affected by the WannaCry ransomware. However, devices used to monitor and control Woodward products (Windows-based HMI computers, for example) may be impacted. Devices impacted by WannaCry may lead to a disruption of control system operations or a loss of control system visibility.

Other consequences: Ransomware not only targets home users but businesses as well. Businessess infected with ransomware can experience negative consequences that include: • temporary or permanent loss of sensitive or proprietary information • disruption of regular operations • financial losses incurred to restore systems and files • potential harm to an organization’s reputation

Paying the ransom does not guarantee the encrypted files will be released; it only guarantees that the malicious actors receive the victim’s money, and in some cases, their banking information. In addition, decrypting files does not mean the malware infection itself has been removed.

Solution for Microsoft-based devices (computers and servers) Recommended Steps for Prevention • Apply the Microsoft patch for the MS17-010 SMB vulnerability dated March 14, 2017. • Enable strong spam filters to prevent phishing emails from reaching the end users and authenticate in- bound email using technologies like Sender Policy Framework (SPF), Domain Message Authentication Reporting and Conformance (DMARC), and Domain Keys Identified Mail (DKIM) to prevent email spoofing. • Scan all incoming and outgoing emails to detect threats and filter executable files from reaching end users. • Ensure that anti-virus and anti-malware solutions are set to automatically conduct regular scans. • Manage the use of privileged accounts. Implement the principle of least privilege. No users should be assigned administrative access unless absolutely needed. Those with a need for administrator accounts should use them only when necessary. • Configure access controls including file, directory, and network share permissions with least privilege in mind. If users only need to read specific files, they should not have write access to those files, directories, or shares. • Disable macro scripts from Microsoft Office files transmitted via email. Consider using Office Viewer software to open Microsoft Office files transmitted via email instead of full Office Suite applications. • Develop, institute, and practice employee education programs for identifying scams, malicious links, and attempted social engineering. • Run regular penetration tests against the network, no less than once a year. Ideally, run these as often as possible and practical. • Test your backups to ensure they work correctly upon use.

Recommendations for Network Protection Apply the patch (MS17-010). If the patch cannot be applied, consider: • Disabling SMBv1 and • Blocking all versions of SMB at the network boundary by blocking TCP port 445 with related protocols on UDP ports 137-138 and TCP port 139, for all boundary devices.